Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06-05-2024 18:05

Static task: static1
Behavioral task: behavioral1
Sample: 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
Resource: win7-20240221-en
General
- Target: 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
- Size: 414KB
- MD5: 1dbab2dfd53fa6481e4f349d74ca6798
- SHA1: 96301fd3a1d6c4a4c79af509b1601061c7296f94
- SHA256: 3a903150a230d5a6f08058cddedf503aa25076b489690a092b3ee46298cfd531
- SHA512: 9aeb8ead2f4254d8f6e8d900cc5904f0950867d9c6aecb660c2c5fc75c80699b34921caaf991505a215bc798dba0b074de53b7509a44d4a15b2b1f3a98ae659d
- SSDEEP: 6144:bHnBfTXqlbSpwEiCbjKDVVH4q9D9izTG+mBoaXjauY4/2FE:bBqbgwb/DVVH4yD9i25BoarYzFE
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: smithhk.ddns.net:4782
- Mutex: 963de217-df7f-4e6b-92bd-1e43f6c4f226

Configuration keys:
- activate_away_mode: true
- backup_connection_host: (empty)
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-04-27T02:01:46.610026136Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 4782
- default_group: Frosh Benz
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 963de217-df7f-4e6b-92bd-1e43f6c4f226
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: smithhk.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\..url | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe

Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 112 set thread context of 2420 | 112 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | RegAsm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
112 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
112 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
2420 | RegAsm.exe
2420 | RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2420 | RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 112 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
Token: SeDebugPrivilege | 2420 | RegAsm.exe

Suspicious use of WriteProcessMemory 28 IoCs
Processes (identical events grouped, count in the last column):
description | pid | process | target process | events
PID 112 wrote to memory of 2668 | 112 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | csc.exe | 4
PID 2668 wrote to memory of 2488 | 2668 | csc.exe | cvtres.exe | 4
PID 112 wrote to memory of 2540 | 112 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | schtasks.exe | 4
PID 112 wrote to memory of 1680 | 112 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | schtasks.exe | 4
PID 112 wrote to memory of 2420 | 112 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | RegAsm.exe | 12
Processes

- C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe"
  PID: 112
  Signatures:
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.cmdline"
    PID: 2668
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2665.tmp" "c:\Users\Admin\AppData\Local\Temp\1i033x1w\CSC677D710CA27C4C24A8AC3AA7EF177BF0.TMP"
      PID: 2488
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /query
    PID: 2540
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /sc MINUTE /tn Intel /MO 1 /tr "C:\Users\Admin\AppData\Roaming\null\
    PID: 1680
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 2420
    Signatures:
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {DDD22CF5-D4E7-43A0-8ABB-9225C7372A25} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
  PID: 2436
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 9KB
  MD5: 1eb72ef87f3b3192a85d7baaf0bba5de
  SHA1: 224ac941518bce99fd86c1915ceea0811580b8e2
  SHA256: e850b72396bd1d0a3e044179a0cf90036660cf1bdfa1b1aab189ba70cf0305c3
  SHA512: 77c188baa0378318702ff03abd47c66561845ecc67f3902a0df68f5233a108e73d01aecc0cc4a9ad005e89773bddd1cc844780c99851370e1b9ebd1dbf00abc7

- Filesize: 25KB
  MD5: 17d7c39ee60c41a171399224f5fe875f
  SHA1: 236b90ec2dc254222d89e8637790cb14c619da20
  SHA256: 82fbe1e585d1f1ada97935c76852caf4a641b995d02a69e1bbc471a6100f8fcb
  SHA512: 1578427a0a50d29b4bfbf1feeb9165e3c6aa5a792b43ba3d77851e2fdc69170b86aea88adc412c4e441740b57453571369365f0990d8e93ab50d916fd261d4a1

- Filesize: 1KB
  MD5: f94dffec592d234baba7811193fc96ec
  SHA1: f034ffe0603e7dee7478121f7e57efdb360eea81
  SHA256: 3362c95afa86e1ed2e81ad9fb1b07d50a9e36fa83e52565f59885f4c4223687e
  SHA512: 2b716aee6bd593925e6484093f43af0f837b48b0b54ce8cc7d04f51fa77d631639d409c46e4b3f023093783e5226e44ed324467979c05b605cff2bf14a06b74e

- Filesize: 10KB
  MD5: 21cd1b3e77c3f770205babc7a862c6ef
  SHA1: ee71e8ef404a95d7f77e2421d5892f349d0fc2be
  SHA256: 905250aa3670ddec5a3a4d3c2427190f973fe3c669b030884b5ef7da6339b075
  SHA512: 806ce8d2162864331b29ebb1fe0bf814965db9077c537d5a0b9c13294c1edcba6e11c5f929824a3aef8680097e0322c09481f4aaa450cceee788591f6d2441b4

- Filesize: 312B
  MD5: b62b62d8c2cfabf7f7b97cbd0dbeb6ce
  SHA1: 84179fb86a0c94ebb345f62df97fe71fce25624f
  SHA256: 0e70c70e6de83eeaa875d7cb726095edc2671c050df658ec07f97acaa0ffacd5
  SHA512: 1a012aa5a894ef4b002ce79c77ebd2b0853fdc10f2eaec8025bbbed7dd4c0aa41fdb8fba2375f8e39f690884cfd09f746fe956c01a4beac24583eac0bc6fd498

- Filesize: 1KB
  MD5: b8a3b8f4f42256c7b24bcbfbbbd8465b
  SHA1: 64ecf56bfb45e8f6aa323155a10e8a3a72e9a087
  SHA256: 34e1bbb560360bf5925db35dd6eaa742428738c9e72ed320237c4e8da8e86237
  SHA512: 882c657de6b3cd04f9e45ae260820a6f9965d450203101953d4bb439f3a306e312bccec52bc7760c3d00a3022a828fbd05dcd8789e9169d0247cad5a990e596a